challenge validity duration


Raphaël Droz

Jul 7, 2016, 11:17:08 AM
to reCAPTCHA
Hi,

I intend to use recaptcha but I'm processing submissions asynchronously: ALL entries are first stored
locally, but SPAM detection would rather happen later, when processing stored data.

As a consequence I do NOT want to verify IMMEDIATELY the user-submitted
$_POST["g-recaptcha-response"] server-side.
We would rather want to store it locally along with the "job" information and check against
google.com service later.

How long can a captcha-user-submitted response be verified by the server? 10 minutes later? 6 hours later?
(I couldn't find this information in the documentation)

Thank you

Tobias R

Jul 7, 2016, 8:23:38 PM
to reCAPTCHA
The answer to your question was posted 3 days ago in another question. You could have just scrolled down 10 to 20 entries ;)

Anyways it seems to be 2 min and you can't change it. See: https://groups.google.com/forum/#!topic/recaptcha/uHJM5JDsa6I

Raphaël

Jul 7, 2016, 10:30:51 PM
to reCAPTCHA
Thank you for the reply.
Indeed, I should have searched the "expire*" namespace to find the answer.

As others already complained, 2 minutes is too restrictive (in my case it's simply not an option).
Still, I don't know where this value comes from (documentation?) nor why it has been defined as such.

best regards.

Tobias R

Jul 8, 2016, 10:39:11 AM
to reCAPTCHA
The expiration time seems to be undocumented. Google says: "The reCAPTCHA verification expires after a certain amount of time so it is best to complete the reCAPTCHA verification last on a website you are accessing." (from https://support.google.com/recaptcha/?hl=en)

I suggest you query Google with that POST request immediately to verify the user's input as described in the docs. You can then store that answer in your system and validate if success = true anytime later. That way you have no timeout. If that's no option please explain why.

Raphaël

Jul 8, 2016, 10:59:09 AM
to reCAPTCHA
When the visitor submits the resource I want to reply immediately and avoid any unnecessary load.
For that reason I already defer most of the submission processing work (HTTP calls) and only "store and forget".
Storing the token and having it verified later is part of this process of deferring submission processing.

Having a blocking HTTP call creates an issue here (page load time to begin with), even if I can be confident in Google net, even if I can modify sockets timeout, even if ...
Changing the backend technology (PHP) for this sole purpose is not an option either.

Hope that helps

Tobias R

Jul 8, 2016, 1:04:14 PM
to reCAPTCHA
You could store the response and use a cron job on a non-critical server to do the checking every minute, thus avoiding any timeout on the user's end as well as with Google's recaptcha.

I'm curious why you are using a captcha at all if you allow any request to proceed regardless of the captcha's success status? Sounds like an "accept all, revert later" strategy. What do you do once a user finds out you accept every captcha response no matter if it's correct or not? Your strategy here sounds dangerous and uncommon so far.
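
The cron-based deferral suggested above, as an added PHP sketch that is not part of the thread or of Google's code: a worker verifies each stored token once and fails closed when siteverify answers `timeout-or-duplicate`, the error code it returns for a token that is too old or was already checked. The job layout, status names, function names and the `RECAPTCHA_SECRET` variable are assumptions.

```php
<?php
// Added example, not from the thread. Job layout, status and function names are assumptions.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/** POST one token to siteverify; returns the decoded JSON reply, or null on transport failure. */
function siteverify(string $secret, string $token): ?array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(SITEVERIFY_URL, false, $ctx);
    $json = $body === false ? null : json_decode($body, true);
    return is_array($json) ? $json : null;
}

/** Map a siteverify reply to a job status. */
function classify(?array $reply): string
{
    if ($reply === null) { return 'pending'; }   // transport error: retry on the next run
    if (($reply['success'] ?? false) === true) { return 'verified'; }
    // Too old or already checked once: this token can never verify, so fail closed.
    $expired = in_array('timeout-or-duplicate', $reply['error-codes'] ?? [], true);
    return $expired ? 'expired' : 'rejected';
}

/** Verify every pending job once; $verify is injectable so the worker runs offline. */
function run_worker(array $jobs, callable $verify): array
{
    foreach ($jobs as $i => $job) {
        if ($job['status'] === 'pending') {
            $jobs[$i]['status'] = classify($verify($job['token']));
        }
    }
    return $jobs;
}

// Constructed sample queue and stubbed replies, so this file runs without network access.
$jobs = [['id' => 1, 'token' => 'tok-fresh', 'status' => 'pending'],
         ['id' => 2, 'token' => 'tok-stale', 'status' => 'pending']];
$stub = fn(string $t): array => $t === 'tok-fresh'
    ? ['success' => true]
    : ['success' => false, 'error-codes' => ['timeout-or-duplicate']];
print_r(array_column(run_worker($jobs, $stub), 'status', 'id'));
// Live use (RECAPTCHA_SECRET is an assumed variable name):
// run_worker($jobs, fn($t) => siteverify(getenv('RECAPTCHA_SECRET'), $t));
```

Jobs that end up `expired` were never proven human, so they belong with `rejected` unless the submission is re-challenged.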